RFR: 8352728: InternalError loading java.security due to Windows parent folder permissions [v14]

Francisco Ferrari Bihurriet fferrari at openjdk.org
Wed Dec 10 16:02:02 UTC 2025 

On Wed, 10 Dec 2025 15:58:34 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:

>> I thought `normalize` will remove those `..` inside?
>
> The problem with [`Path::normalize`](https://docs.oracle.com/en/java/javase/25/docs/api/java.base/java/nio/file/Path.html#normalize()) is the following one:
>> Eliminating ".." and a preceding name from a path may result in the path that locates a different file than the original path. This can arise when the preceding name is a symbolic link.
> 
> This can be demonstrated with the following files structure:
> 
> 
> /tmp/a
> └── /tmp/a/b -> /tmp/x/y
> /tmp/x
> ├── /tmp/x/f2        (name=value)
> └── /tmp/x/y
>     └── /tmp/x/y/f1  (include ../f2)
> 
> 
> Which can be created with:
> 
> 
> mkdir -p /tmp/x/y /tmp/a
> echo 'include ../f2' >/tmp/x/y/f1
> echo 'name=value' >/tmp/x/f2
> ln -s /tmp/x/y /tmp/a/b
> 
> 
> Now let's assume we are processing `/tmp/a/b/f1`, `include ../f2` is computed as `included`:
> 
> 
> jshell -<<'EOF'
> Path current = Path.of("/tmp/a/b/f1");
> Path included = current.resolveSibling("../f2");
> System.out.println("                                      included: " +
>         included);
> System.out.println("                         included.toRealPath(): " +
>         included.toRealPath());
> System.out.println("included.toRealPath(LinkOption.NOFOLLOW_LINKS): " +
>         included.toRealPath(LinkOption.NOFOLLOW_LINKS));
> System.out.println("                          included.normalize(): " +
>         included.normalize());
> EOF
> 
> 
> Output:
> 
> 
>                                       included: /tmp/a/b/../f2
>                          included.toRealPath(): /tmp/x/f2
> included.toRealPath(LinkOption.NOFOLLOW_LINKS): /tmp/a/b/../f2
>                           included.normalize(): /tmp/a/f2
> 
> 
> But `/tmp/a/f2` doesn't exist:
> 
> 
> user at host:~$ cat /tmp/a/f2
> cat: /tmp/a/f2: No such file or directory
> 
> 
> To destroy the created directories and files use:
> 
> 
> rm -rf /tmp/x /tmp/a

If you prefer, I can leave the code as it is now, without applying the [suggested change](#discussion_r2594151432).

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/24465#discussion_r2607254651

More information about the security-dev mailing list